Healthcare Portals, Patient Photos Pose Possible Data Security Gaps

As the healthcare industry continues to confront cybersecurity threats and seek ways to improve defenses, it must consider every avenue that might lead to access to patient information.

Some potential gaps are not as obvious, and providers must look carefully at any potential gap in their perimeter defenses, says security professional Keith Fricke.

For example, there is a potential security gap within the patient portals that providers are offering to patients as they seek to comply with requirements of the electronic health records meaningful use program, says Fricke, principal consultant at tw-Security in Overland Park, Kan.

Many cyber criminals have the acumen to insert malicious code into frequently visited web sites, and when a person accesses the site, that code attempts to download to a user’s computer.

If a user’s computer doesn’t have security controls and becomes infected with the malicious code, and then the user accesses the hospital’s patient portal, malware might be able to give a criminal access to the patient’s infected computer, and the criminal may learn of the patient portal, Fricke says.

The criminal could insert code on an insecure portal and attempt to infect other users visiting the portal. Over time, a criminal could harvest individual PHI from the growing number of compromised patient home computers, Fricke contends.

Another security worry for Fricke is the lack of attention to securing digital photos of patients taken in a hospital’s wound department or taken by Sexual Assault Nurse Examiners (SANE) in emergency departments.

Photos used to be taken with a camera that produced instant photos on film. Today, digital cameras are used, and not all of them are secure devices, Fricke contends. Photos of wounds may contain patient information, such as a ruler with a patient’s name and medical record number written on it. SANE protocols usually include taking a series of photos that start and end with the victim holding a grease board containing their name and medical record number. Photos with these characteristics are considered protected health information, Fricke says.

These types of back-door vulnerabilities need as much attention as risks that are more obvious and are getting more press, Fricke believes, and security professionals need to look at workflow processes and be well read on consumer vulnerabilities that may impact perimeter defenses.